Snort mailing list archives

Re: TMG Firewall Client long host entry exploit attempt


From: simegnew yihunie <syihunie () gmail com>
Date: Mon, 3 Mar 2014 17:39:31 +0300

Hey Guys,
I want to know how much time each packet spends in each component of
Snort (packet decoder, preprocessor, detection engine, ...), so that I
know which component of Snort is the most intensive. Does anyone know how to do this?



On Mon, Mar 3, 2014 at 4:11 PM, Joel Esler (jesler) <jesler () cisco com> wrote:

Can you capture a session so we can troubleshoot?

--
Joel Esler
Sent from my iPhone

On Mar 3, 2014, at 6:28, "Carlos G Mendioroz" <tron () acm org> wrote:

Joel Esler (jesler) @ 03/03/2014 00:53 -0300 dixit:
On Mar 2, 2014, at 4:05 PM, Carlos G Mendioroz <tron () acm org> wrote:

Thanks Joel, as I said, that one is like sweeping
under the carpet, right?

No, any Snort instance should be tuned to its environment.

I would concur if the rule had some known false positives (none
documented) or if I was running some particular software that could
be causing benign triggers, which I'm not.

That being the case, it seems a good case to troubleshoot the rule,
either it or my installation has some fault.


Snort is surprisingly quiet too. Other than this, it seems all
the bad guys went on vacation...

Try running with "-k none" turned on.

I will, but I fail to understand why. I'm not seeing checksum errors.
In fact, in 10 minutes I have now (after suppressing 3:19187 and adding
-k none) some 3:21355:2 - mismatched txid.

Fact is, I checked one of the triggering events and the TXID was ok.
(answer had same TXid as query).

-Carlos


-- Joel Esler | Threat Intelligence Team Lead | Open Source
Manager | Vulnerability Research Team



On this one, it seems that the rule is triggering on answers to a
ROOT DNS query. That one also makes me wonder why bind is asking
for that.

-Carlos

Joel Esler (jesler) @ 02/03/2014 17:59 -0300 dixit:
The easiest way to deal with this one is, if you aren't running
the tmg firewall client, shut the rule off.

-- Joel Esler Sent from my iPhone

On Mar 2, 2014, at 6:51, "Carlos G Mendioroz" <tron () acm org> wrote:
Hi, I've recently installed snort on a home border server.
(again, this is a complete re-install of my place
infrastructure :)

I keep snort running, not frequently updated, just to have
some sense of activity. Upload alerts to dshield too.

This time, snort remained way too silent. But 3:19187:2 is
firing with many of my server's DNS queries. (bind9 forwarder)

I've searched for clues but this seems to be an SO rule and I
don't know how to troubleshoot this. I guess I can disable the
rule, but that's just going to hide the issue. I do have a
capture of one incident triggering the rule, not that it is
difficult to reproduce (

Help? TIA,




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users


Please visit http://blog.snort.org to stay current on all the
latest Snort news!

-- Carlos G Mendioroz  <tron () acm org>

--
Carlos G Mendioroz  <tron () acm org>



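Two things in the thread come down to reading raw fields out of the capture: whether 3:21355:2 ("mismatched txid") is right that the answer's DNS transaction ID differs from the query's, and whether Joel's "-k none" suggestion (which tells Snort to skip checksum verification, the usual workaround when the capture point sees packets with bad checksums, for example from TX checksum offload on the sniffing host) applies. The Python below is an added example, not code from the thread, from Snort or from the SO rules: it parses an IPv4/UDP/DNS query and response, verifies the UDP checksums and compares transaction IDs, ports, question name and direction. The addresses, ports and packets are constructed here for illustration; the root NS query only mirrors the root query Carlos mentions and is not his capture.

```python
import socket
import struct

def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit big-endian words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def udp_checksum(src_ip: str, dst_ip: str, udp_segment: bytes) -> int:
    """UDP checksum over the IPv4 pseudo-header and the segment with its checksum field zeroed."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 17, len(udp_segment)))
    zeroed = udp_segment[:6] + b"\x00\x00" + udp_segment[8:]
    csum = ones_complement_checksum(pseudo + zeroed)
    return csum if csum else 0xFFFF  # RFC 768: a computed 0 is transmitted as all-ones

def encode_name(name: str) -> bytes:
    """DNS wire-format name; "." (the root) encodes as a single zero byte."""
    labels = [l for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (dotted name, offset just past it)."""
    labels, jumped, end = [], False, off
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer: follow it, 'end' stays just past the pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if n == 0:
            if not jumped:
                end = off
            return ".".join(labels) or ".", end
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def build_dns(txid: int, flags: int, qname: str, qtype: int, answers=()) -> bytes:
    """Minimal DNS message: header, one IN question, optional (name, type, ttl, rdata) answers."""
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, rtype, ttl, rdata in answers:
        msg += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg

def build_ipv4_udp(src_ip, dst_ip, sport, dport, payload, corrupt_checksum=False) -> bytes:
    """IPv4+UDP datagram with correct checksums, or a deliberately wrong UDP checksum."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    csum = udp_checksum(src_ip, dst_ip, udp)
    if corrupt_checksum:  # mimic what a sniffer sees with TX checksum offload: wrong and non-zero
        csum = (csum % 0xFFFE) + 1
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip[:10] + struct.pack("!H", ones_complement_checksum(ip)) + ip[12:] + udp

def parse_packet(pkt: bytes) -> dict:
    """Extract the fields worth checking when a DNS rule fires on an IPv4/UDP/DNS packet."""
    ihl, total_len = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 17:
        raise ValueError("not a UDP packet")
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    udp = pkt[ihl:total_len]
    sport, dport, ulen, ucsum = struct.unpack("!HHHH", udp[:8])
    dns = udp[8:ulen]
    txid, flags = struct.unpack("!HH", dns[:4])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "txid": txid,
            "is_response": bool(flags & 0x8000), "qname": decode_name(dns, 12)[0],
            "udp_checksum_ok": ucsum == 0 or udp_checksum(src, dst, udp[:ulen]) == ucsum}

def check_pair(query_pkt: bytes, response_pkt: bytes) -> dict:
    """Cross-check a query/response pair: what a 'mismatched txid' alert claims, plus checksums."""
    q, r = parse_packet(query_pkt), parse_packet(response_pkt)
    return {"txid_match": q["txid"] == r["txid"],
            "ports_match": (q["sport"], q["dport"]) == (r["dport"], r["sport"]),
            "qname_match": q["qname"] == r["qname"],
            "direction_ok": (not q["is_response"]) and r["is_response"],
            "query_checksum_ok": q["udp_checksum_ok"],
            "response_checksum_ok": r["udp_checksum_ok"]}

# Constructed sample traffic (not the thread's capture): a root NS query from a
# forwarder at 192.0.2.10 to a resolver at 192.0.2.53, and three candidate responses.
FORWARDER, RESOLVER = "192.0.2.10", "192.0.2.53"
ROOT_NS = [(".", 2, 518400, encode_name("a.root-servers.net"))]
QUERY = build_ipv4_udp(FORWARDER, RESOLVER, 40000, 53, build_dns(0x1A2B, 0x0100, ".", 2))

def sample_response(txid: int, corrupt_checksum: bool = False) -> bytes:
    return build_ipv4_udp(RESOLVER, FORWARDER, 53, 40000,
                          build_dns(txid, 0x8180, ".", 2, ROOT_NS), corrupt_checksum)

GOOD_RESPONSE = sample_response(0x1A2B)
BAD_TXID_RESPONSE = sample_response(0x1A2C)
BAD_CSUM_RESPONSE = sample_response(0x1A2B, corrupt_checksum=True)

if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("bad txid", BAD_TXID_RESPONSE),
                        ("bad checksum", BAD_CSUM_RESPONSE)):
        print(label, check_pair(QUERY, resp))
```

To use this on a real capture, feed the IPv4 packet bytes of the query and of the answer that raised the alert to check_pair; a pair that reports txid_match, ports_match and both checksums OK is one where the alert does not describe the traffic, while a bad checksum on the packet that never alerts is the case "-k none" is meant to expose.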